Quarkus HTTPS with KeyStore SPI

tsaarni · tsaarni · commit 7352bccab622 · 2023-11-03T09:20:05.000+02:00
Signed-off-by: Tero Saarni &lt;tero.saarni@est.tech&gt;
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/VertxCustomizer.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/VertxCustomizer.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.quarkus.runtime;
+
+import org.jboss.logging.Logger;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.quarkus.runtime.integration.QuarkusKeycloakSessionFactory;
+import org.keycloak.keystore.KeyStoreProvider;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.KeyStoreBuilderParameters;
+import javax.net.ssl.X509KeyManager;
+
+import io.quarkus.vertx.http.HttpServerOptionsCustomizer;
+import io.vertx.core.http.HttpServerOptions;
+import io.vertx.core.net.KeyCertOptions;
+import jakarta.enterprise.context.ApplicationScoped;
+
+@ApplicationScoped
+public class VertxCustomizer implements HttpServerOptionsCustomizer {
+
+    private static final Logger log = Logger.getLogger(VertxCustomizer.class);
+
+    @Override
+    public void customizeHttpsServer(HttpServerOptions options) {
+        try {
+            QuarkusKeycloakSessionFactory instance = QuarkusKeycloakSessionFactory.getInstance();
+            KeycloakSession session = instance.create();
+
+            KeyStore.Builder ksb = session.getProvider(KeyStoreProvider.class)
+                    .loadKeyStoreBuilder(KeyStoreProvider.HTTPS_SERVER_KEYSTORE);
+            if (ksb != null) {
+                log.info("Setting KeyStore to Vert.x");
+                KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
+                kmf.init(new KeyStoreBuilderParameters(ksb));
+                KeyCertOptions kco = KeyCertOptions.wrap((X509KeyManager) kmf.getKeyManagers()[0]);
+                options.setKeyCertOptions(kco);
+            }
+        } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
+            log.error("Failed to set KeyManager: " + e.toString());
+            throw new RuntimeException("Failed to set KeyManager: " + e.toString());
+        }
+
+    }
+}
diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HttpPropertyMappers.java
@@ -64,25 +64,25 @@ public static PropertyMapper[] getHttpPropertyMappers() {
                         .paramLabel("protocols")
                         .build(),
                 fromOption(HttpOptions.HTTPS_CERTIFICATE_FILE)
-                        .to("quarkus.http.ssl.certificate.files")
+                        .to("kc.spi-keystore-default-https-certificate-file")
                         .paramLabel("file")
                         .build(),
                 fromOption(HttpOptions.HTTPS_CERTIFICATE_KEY_FILE)
-                        .to("quarkus.http.ssl.certificate.key-files")
+                        .to("kc.spi-keystore-default-https-certificate-key-file")
                         .paramLabel("file")
                         .build(),
                 fromOption(HttpOptions.HTTPS_KEY_STORE_FILE
-                            .withRuntimeSpecificDefault(getDefaultKeystorePathValue()))
-                        .to("quarkus.http.ssl.certificate.key-store-file")
+                        .withRuntimeSpecificDefault(getDefaultKeystorePathValue()))
+                        .to("kc.spi-keystore-default-https-keystore-file")
                         .paramLabel("file")
                         .build(),
                 fromOption(HttpOptions.HTTPS_KEY_STORE_PASSWORD)
-                        .to("quarkus.http.ssl.certificate.key-store-password")
+                        .to("kc.spi-keystore-default-https-keystore-password")
                         .paramLabel("password")
                         .isMasked(true)
                         .build(),
                 fromOption(HttpOptions.HTTPS_KEY_STORE_TYPE)
-                        .to("quarkus.http.ssl.certificate.key-store-file-type")
+                        .to("kc.spi-keystore-default-https-keystore-type")
                         .mapFrom(SecurityOptions.FIPS_MODE.getKey())
                         .transformer(HttpPropertyMappers::resolveKeyStoreType)
                         .paramLabel("type")
@@ -118,7 +118,7 @@ private static Optional<String> getHttpEnabledTransformer(Optional<String> value
             ConfigValue proceed = context.proceed("kc.https-certificate-file");
 
             if (proceed == null || proceed.getValue() == null) {
-                proceed = getMapper("quarkus.http.ssl.certificate.key-store-file").getConfigValue(context);
+                proceed = getMapper("kc.spi-keystore-default-https-keystore-file").getConfigValue(context);
             }
 
             if (proceed == null || proceed.getValue() == null) {
@@ -157,4 +157,3 @@ private static Optional<String> resolveKeyStoreType(Optional<String> value,
         return value;
     }
 }
-
